iam-policy-validator 1.0.4__py3-none-any.whl → 1.1.0__py3-none-any.whl

{iam_policy_validator-1.0.4.dist-info → iam_policy_validator-1.1.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.0.4
+Version: 1.1.0
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs
@@ -70,7 +70,8 @@ A high-performance GitHub Action and Python CLI tool that validates AWS IAM poli
 - **Comment Updates**: Update existing comments instead of creating duplicates
 
 ### Output Formats
-- **Console**: Rich terminal output with colors and tables
+- **Console** (default): Clean terminal output with colors and tables
+- **Enhanced**: Modern visual output with progress bars, tree structure, and rich visuals
 - **JSON**: Structured format for programmatic processing
 - **Markdown**: GitHub-flavored markdown for PR comments
 - **SARIF**: GitHub code scanning integration format
@@ -87,9 +88,11 @@ A high-performance GitHub Action and Python CLI tool that validates AWS IAM poli
 
 ### As a GitHub Action (Recommended) ⭐
 
-The easiest way to use IAM Policy Validator is as a GitHub Action in your workflows.
+The IAM Policy Validator is available as **both** a standalone GitHub Action and a Python module. Choose the approach that best fits your needs:
 
-#### Basic Validation
+#### **Option A: Standalone GitHub Action** (Recommended - Zero Setup)
+
+Use the published action directly - it handles all setup automatically:
 
 Create `.github/workflows/iam-policy-validator.yml`:
 
@@ -121,7 +124,13 @@ jobs:
           fail-on-warnings: true
 ```
 
-#### With AWS Access Analyzer
+**Benefits:**
+- ✅ Zero setup - action handles Python, uv, and dependencies
+- ✅ Automatic dependency caching
+- ✅ Simple, declarative configuration
+- ✅ Perfect for CI/CD workflows
+
+#### With AWS Access Analyzer (Standalone Action)
 
 Use AWS's official policy validation service:
 
@@ -162,7 +171,61 @@ jobs:
           fail-on-warnings: true
 ```
 
-#### Custom Policy Checks
+#### **Option B: As Python Module/CLI Tool**
+
+For advanced use cases or when you need more control:
+
+```yaml
+name: IAM Policy Validation (CLI)
+
+on:
+  pull_request:
+    paths:
+      - 'policies/**/*.json'
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v3
+
+      - name: Install dependencies
+        run: uv sync
+
+      - name: Validate IAM Policies
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          uv run iam-validator validate \
+            --path ./policies/ \
+            --github-comment \
+            --github-review \
+            --fail-on-warnings \
+            --log-level info
+```
+
+**Use this when you need:**
+- Advanced CLI options (e.g., `--log-level`, `--custom-checks-dir`, `--stream`)
+- Full control over the Python environment
+- Integration with existing Python workflows
+- Multiple validation commands in sequence
+
+#### Custom Policy Checks (Standalone Action)
 
 Enforce specific security requirements:
 
@@ -231,7 +294,22 @@ jobs:
           fail-on-warnings: true
 ```
 
-#### Multiple Paths
+---
+
+### Choosing the Right Approach
+
+| Feature               | Standalone Action        | Python Module/CLI                                                        |
+| --------------------- | ------------------------ | ------------------------------------------------------------------------ |
+| Setup Required        | None - fully automated   | Manual (Python, uv, dependencies)                                        |
+| Configuration         | YAML inputs              | CLI arguments                                                            |
+| Advanced Options      | Limited to action inputs | Full CLI access (`--log-level`, `--custom-checks-dir`, `--stream`, etc.) |
+| Custom Checks         | Via config file only     | Via config file or `--custom-checks-dir`                                 |
+| Best For              | CI/CD, simple workflows  | Development, advanced workflows, testing                                 |
+| Dependency Management | Automatic                | Manual                                                                   |
+
+**Recommendation:** Use the **Standalone Action** for production CI/CD workflows, and the **Python Module/CLI** for development, testing, or when you need advanced features.
+
+#### Multiple Paths (Standalone Action)
 
 Validate policies across multiple directories:
 
@@ -305,7 +383,7 @@ action_condition_enforcement_check:
         - condition_key: "iam:PassedToService"
 ```
 
-See [iam-validator.yaml](iam-validator.yaml) for a complete configuration example.
+See [default-config.yaml](default-config.yaml) for a complete configuration example.
 
 ### GitHub Action Inputs
 
@@ -316,12 +394,12 @@ See [iam-validator.yaml](iam-validator.yaml) for a complete configuration exampl
 | `fail-on-warnings`            | Fail validation if warnings are found                                  | No       | `false`           |
 | `post-comment`                | Post validation results as PR comment                                  | No       | `true`            |
 | `create-review`               | Create line-specific review comments on PR                             | No       | `true`            |
-| `format`                      | Output format (console, json, markdown, sarif, csv, html)              | No       | `console`         |
+| `format`                      | Output format (console, enhanced, json, markdown, sarif, csv, html)    | No       | `console`         |
 | `output-file`                 | Path to save output file                                               | No       | ""                |
 | `recursive`                   | Recursively search directories for policy files                        | No       | `true`            |
 | `use-access-analyzer`         | Use AWS IAM Access Analyzer for validation                             | No       | `false`           |
 | `access-analyzer-region`      | AWS region for Access Analyzer                                         | No       | `us-east-1`       |
-| `policy-type`                 | Policy type (IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY) | No       | `RESOURCE_POLICY` |
+| `policy-type`                 | Policy type (IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY) | No       | `IDENTITY_POLICY` |
 | `run-all-checks`              | Run custom checks after Access Analyzer                                | No       | `false`           |
 | `check-access-not-granted`    | Actions that should NOT be granted (space-separated)                   | No       | ""                |
 | `check-access-resources`      | Resources to check with check-access-not-granted                       | No       | ""                |

{iam_policy_validator-1.0.4.dist-info → iam_policy_validator-1.1.0.dist-info}/RECORD

@@ -2,18 +2,18 @@ iam_validator/__init__.py,sha256=APnMR3Fu4fHhxfsHBvUM2dJIwazgvLKQbfOsSgFPidg,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
 iam_validator/__version__.py,sha256=YOIURWR5ocuvaQTQgwFi1XjHm_ifJDzicMOQSJZqmZc,206
 iam_validator/checks/__init__.py,sha256=q-_rIYGZJMjsiHK-R_3CbSUCBVGN5e137LPNDnMRZmw,841
-iam_validator/checks/action_condition_enforcement.py,sha256=3V8Wnz6BYnataKzuFMx8fHukVjzpIZaVfde9-RqZjPc,25357
+iam_validator/checks/action_condition_enforcement.py,sha256=3M1Wj89Af6H-ywBTruZbJPzhCBBQVanVb5hwv-fkiDE,29721
 iam_validator/checks/action_validation.py,sha256=KbUw1SV-2nN-HtLlj3zrE6sdd0z8iAF0ubqz35Vwb7c,6921
 iam_validator/checks/condition_key_validation.py,sha256=bc4LQ8IRKyt0RquaQvQvVjmeJnuOUAFRL8xdduLPa_U,2661
 iam_validator/checks/policy_size.py,sha256=4cvZiWRJXGuvYo8PRcdD1Py_ZL8Xw0lOJfXTs6EX-_I,5753
 iam_validator/checks/resource_validation.py,sha256=AEIoiR6AKYLuVaA8ne3QE5qy6NCMDe98_2JAiwE9-JU,4261
-iam_validator/checks/security_best_practices.py,sha256=Sr3aiLbki8_M3U9qJv7u0fM__GjJRfZzWmJVgJ3ODSw,28185
+iam_validator/checks/security_best_practices.py,sha256=OCAtbsO9HEK97DVPPnm-hJDQtf-ATlnwa1LLshweZDk,32045
 iam_validator/checks/sid_uniqueness.py,sha256=7S8RtVJgYPTKgr7gSEmxgT0oIGkSoXN6iu0ALHbcSfw,5015
 iam_validator/commands/__init__.py,sha256=zuhECuz-1Us5hBNAJtdMae8LaYn1eNeoYPBmQPMwI94,357
 iam_validator/commands/analyze.py,sha256=TWlDaZ8gVOdNv6__KQQfzeLVW36qLiL5IzlhGYfvq_g,16501
 iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gzs,1074
 iam_validator/commands/post_to_pr.py,sha256=hl_K-XlELYN-ArjMdgQqysvIE-26yf9XdrMl4ToDwG0,2148
-iam_validator/commands/validate.py,sha256=zdfay29HX1v4uz_LfzUUgC4-VUy8TTg5CGfZlAeEWXc,13779
+iam_validator/commands/validate.py,sha256=R295cOTly8n7zL1jfvbh9RuCgiM5edBqbf6YMn_4G9A,14013
 iam_validator/core/__init__.py,sha256=1FvJPMrbzJfS9YbRUJCshJLd5gzWwR9Fd_slS0Aq9c8,416
 iam_validator/core/access_analyzer.py,sha256=poeT1i74jXpKr1B3UmvqiTvCTbq82zffWgZHwiFUwoo,24337
 iam_validator/core/access_analyzer_report.py,sha256=iTIFKul6zQZd2qBg8V6zaDNPMKF8D_XDSX6pJwXFVYY,24791
@@ -21,25 +21,27 @@ iam_validator/core/aws_fetcher.py,sha256=fUCIMItIWmrbgsoVCz_9Oe5k3SjuXBlNBVwQ60I
 iam_validator/core/aws_global_conditions.py,sha256=ADVcMEWhgvDZWdBmRUQN3HB7a9OycbTLecXFAy3LPbo,5837
 iam_validator/core/check_registry.py,sha256=wXg4Yw5LJ-rAVLiPUIJOtw8Y49Q1PY00Zbu37LzyjHY,15477
 iam_validator/core/cli.py,sha256=5UHsHS8o7Fkag4d6MNaaqjCFSGu8evCIbtpa81591lE,3831
-iam_validator/core/config_loader.py,sha256=k4D5TT_D6B9N8BbIEg0nE3wUXu0naFLHOVVJsjYZzh4,14880
-iam_validator/core/models.py,sha256=SUEbxDUtkX1uvgMy6-LPzomyGu82PTpXdDXZ9RKqfTY,9655
+iam_validator/core/config_loader.py,sha256=6Px_JEzk8WU6g8KXaSLme3x8qZXT9oppxUVXYyDkboY,16425
+iam_validator/core/defaults.py,sha256=JzuDYNQGERDtX9S8E5grr4KZmooSephJW8KRplT34L8,10956
+iam_validator/core/models.py,sha256=rWIZnD-I81Sg4asgOhnB10FWJC5mxQ2JO9bdS0sHb4Q,10772
 iam_validator/core/policy_checks.py,sha256=xK5CntsEKVDgN27uIdQ92jCL97t7eBqOk0SChWU9cgw,23872
 iam_validator/core/policy_loader.py,sha256=TR7SpzlRG3TwH4HBGEFUuhNOmxIR8Cud2SQ-AmHWBpM,14040
 iam_validator/core/pr_commenter.py,sha256=TOhVXKTFcRHQ9EVuShXQcKXn9aNjB1mU6FnR2jvltmw,10581
-iam_validator/core/report.py,sha256=6k2A82EuhI72y-xCXbxRbykYcBvUP0z977pjUk9w1Cc,28977
-iam_validator/core/formatters/__init__.py,sha256=ggIKrI_Uu6tnKBLnUbBaXgaIXeL-JAGwUOrfSql6sow,774
+iam_validator/core/report.py,sha256=aRM1mYlDjkPmQrUZtcq2akbviLPVTSa8q_mH7XyuuK4,32897
+iam_validator/core/formatters/__init__.py,sha256=fnCKAEBXItnOf2m4rhVs7zwMaTxbG6ESh3CF8V5j5ec,868
 iam_validator/core/formatters/base.py,sha256=SShDeDiy5mYQnS6BpA8xYg91N-KX1EObkOtlrVHqx1Q,4451
-iam_validator/core/formatters/console.py,sha256=qkKWcxETRWDr62Zmkz0NXG4oS9hj2LwDX8uH4MoSX0s,750
-iam_validator/core/formatters/csv.py,sha256=hyop9gddZc1eOjUvd1YJjxbo8FNlLG7Rvh6UkSCEAhU,5565
-iam_validator/core/formatters/html.py,sha256=kW0BVTTX8PbiEbct8mXIyqTiO6jdsGjyK6Y3NNVeRaI,19317
+iam_validator/core/formatters/console.py,sha256=lX4Yp4bTW61fxe0fCiHuO6bCZtC_6cjCwqDNQ55nT_8,1937
+iam_validator/core/formatters/csv.py,sha256=2FaN6Y_0TPMFOb3A3tNtj0-9bkEc5P-6eZ7eLROIqFE,5899
+iam_validator/core/formatters/enhanced.py,sha256=6hRiATRpH6Osqf_y6C58VN48L47AXYP3Dm9R90VMGs8,16432
+iam_validator/core/formatters/html.py,sha256=j4sQi-wXiD9kCHldW5JCzbJe0frhiP5uQI9KlH3Sj_g,22994
 iam_validator/core/formatters/json.py,sha256=A7gZ8P32GEdbDvrSn6v56yQ4fOP_kyMaoFVXG2bgnew,939
-iam_validator/core/formatters/markdown.py,sha256=FccevVlD_mC6wtrWsya2Uo-NEphyuWsZyFar9x_ZT2g,1859
+iam_validator/core/formatters/markdown.py,sha256=aPAY6FpZBHsVBDag3FAsB_X9CZzznFjX9dQr0ysDrTE,2251
 iam_validator/core/formatters/sarif.py,sha256=tqp8g7RmUh0HRk-kKDaucx4sa-5I9ikgkSpy1MM8Vi4,7200
 iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
 iam_validator/integrations/github_integration.py,sha256=bKs94vNT4PmcmUPUeuY2WJFhCYpUY2SWiBP1vj-andA,25673
 iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
-iam_policy_validator-1.0.4.dist-info/METADATA,sha256=QQAQsAQCDiPen37apynaUzYjOUmiTpn8NYgrM6C7l0E,22070
-iam_policy_validator-1.0.4.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-iam_policy_validator-1.0.4.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.0.4.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.0.4.dist-info/RECORD,,
+iam_policy_validator-1.1.0.dist-info/METADATA,sha256=a_cegBs1dAS4y_ByXskcvgXY3CNsqC-7frERfdQR27k,25144
+iam_policy_validator-1.1.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.1.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.1.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.1.0.dist-info/RECORD,,

iam_validator/checks/action_condition_enforcement.py

@@ -139,8 +139,8 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         # Check each requirement rule
         for requirement in action_condition_requirements:
             # Check if this requirement applies to the statement's actions
-            actions_match, matching_actions = self._check_action_match(
-                statement_actions, requirement
+            actions_match, matching_actions = await self._check_action_match(
+                statement_actions, requirement, fetcher
             )
 
             if not actions_match:
@@ -186,8 +186,8 @@ class ActionConditionEnforcementCheck(PolicyCheck):
 
         return issues
 
-    def _check_action_match(
-        self, statement_actions: list[str], requirement: dict[str, Any]
+    async def _check_action_match(
+        self, statement_actions: list[str], requirement: dict[str, Any], fetcher: AWSServiceFetcher
     ) -> tuple[bool, list[str]]:
         """
         Check if statement actions match the requirement.
@@ -208,18 +208,25 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                 if stmt_action == "*":
                     continue
 
-                # Check exact matches
-                if stmt_action in actions_config:
-                    matching_actions.append(stmt_action)
+                # Check if this statement action matches any of the required actions or patterns
+                # Use _action_matches which handles wildcards in both statement and config
+                matched = False
 
-                # Check pattern matches
-                for pattern in action_patterns:
-                    try:
-                        if re.match(pattern, stmt_action):
-                            matching_actions.append(stmt_action)
-                            break
-                    except re.error:
-                        continue
+                # Check against configured actions
+                for required_action in actions_config:
+                    if await self._action_matches(
+                        stmt_action, required_action, action_patterns, fetcher
+                    ):
+                        matched = True
+                        break
+
+                # If not matched by actions, check if wildcard overlaps with patterns
+                if not matched and "*" in stmt_action:
+                    # For wildcards, also check pattern overlap directly
+                    matched = await self._action_matches(stmt_action, "", action_patterns, fetcher)
+
+                if matched and stmt_action not in matching_actions:
+                    matching_actions.append(stmt_action)
 
             return len(matching_actions) > 0, matching_actions
 
@@ -231,20 +238,28 @@ class ActionConditionEnforcementCheck(PolicyCheck):
 
             # Check all_of: ALL specified actions must be in statement
             if all_of:
-                all_present = all(
-                    any(
-                        self._action_matches(stmt_action, req_action, action_patterns)
-                        for stmt_action in statement_actions
-                    )
-                    for req_action in all_of
-                )
+                all_present = True
+                for req_action in all_of:
+                    found = False
+                    for stmt_action in statement_actions:
+                        if await self._action_matches(
+                            stmt_action, req_action, action_patterns, fetcher
+                        ):
+                            found = True
+                            break
+                    if not found:
+                        all_present = False
+                        break
+
                 if not all_present:
                     return False, []
 
                 # Collect matching actions
                 for stmt_action in statement_actions:
                     for req_action in all_of:
-                        if self._action_matches(stmt_action, req_action, action_patterns):
+                        if await self._action_matches(
+                            stmt_action, req_action, action_patterns, fetcher
+                        ):
                             if stmt_action not in matching_actions:
                                 matching_actions.append(stmt_action)
 
@@ -253,7 +268,9 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                 any_present = False
                 for stmt_action in statement_actions:
                     for req_action in any_of:
-                        if self._action_matches(stmt_action, req_action, action_patterns):
+                        if await self._action_matches(
+                            stmt_action, req_action, action_patterns, fetcher
+                        ):
                             any_present = True
                             if stmt_action not in matching_actions:
                                 matching_actions.append(stmt_action)
@@ -266,7 +283,9 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                 forbidden_actions = []
                 for stmt_action in statement_actions:
                     for forbidden_action in none_of:
-                        if self._action_matches(stmt_action, forbidden_action, action_patterns):
+                        if await self._action_matches(
+                            stmt_action, forbidden_action, action_patterns, fetcher
+                        ):
                             forbidden_actions.append(stmt_action)
 
                 # If forbidden actions are found, this is a match for flagging
@@ -277,15 +296,23 @@ class ActionConditionEnforcementCheck(PolicyCheck):
 
         return False, []
 
-    def _action_matches(
-        self, statement_action: str, required_action: str, patterns: list[str]
+    async def _action_matches(
+        self,
+        statement_action: str,
+        required_action: str,
+        patterns: list[str],
+        fetcher: AWSServiceFetcher,
     ) -> bool:
         """
         Check if a statement action matches a required action or pattern.
         Supports:
         - Exact matches: "s3:GetObject"
-        - AWS wildcards: "s3:*", "s3:Get*"
+        - AWS wildcards in both statement and required actions: "s3:*", "s3:Get*", "iam:Creat*"
         - Regex patterns: "^s3:Get.*", "^iam:Delete.*"
+
+        This method handles bidirectional wildcard matching using real AWS actions from the fetcher:
+        - statement_action="iam:Create*" matches required_action="iam:CreateUser"
+        - statement_action="iam:C*" matches pattern="^iam:Create" (by checking actual AWS actions)
         """
         if statement_action == "*":
             return False
@@ -304,6 +331,63 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             except re.error:
                 pass
 
+        # AWS wildcard match in statement_action (e.g., "iam:Creat*" in policy)
+        # Check if this wildcard would grant access to actions matching our patterns
+        if "*" in statement_action:
+            # Convert statement wildcard to regex pattern
+            stmt_wildcard_pattern = statement_action.replace("*", ".*").replace("?", ".")
+
+            # Check if statement wildcard overlaps with required action
+            if "*" not in required_action:
+                # Required action is specific (e.g., "iam:CreateUser")
+                # Check if statement wildcard would grant it
+                try:
+                    if re.match(f"^{stmt_wildcard_pattern}$", required_action):
+                        return True
+                except re.error:
+                    pass
+
+            # Check if statement wildcard overlaps with any of our action patterns
+            # Strategy: Use real AWS actions from the fetcher instead of hardcoded guesses
+            # For example: "iam:C*" should match pattern "^iam:Create" because:
+            # - "iam:C*" grants iam:CreateUser, iam:CreateRole, etc. (from AWS)
+            # - "^iam:Create" pattern is meant to catch iam:CreateUser, iam:CreateRole, etc.
+            # - Therefore they overlap
+            if patterns:
+                try:
+                    # Parse the service from the wildcard action
+                    service_prefix, _ = fetcher.parse_action(statement_action)
+
+                    # Fetch the real list of actions for this service
+                    service_detail = await fetcher.fetch_service_by_name(service_prefix)
+                    available_actions = list(service_detail.actions.keys())
+
+                    # Find which actual AWS actions the wildcard would grant
+                    _, granted_actions = fetcher._match_wildcard_action(
+                        statement_action.split(":", 1)[1],  # Just the action part (e.g., "C*")
+                        available_actions,
+                    )
+
+                    # Check if any of the granted actions match our patterns
+                    for granted_action in granted_actions:
+                        full_granted_action = f"{service_prefix}:{granted_action}"
+                        for pattern in patterns:
+                            try:
+                                if re.match(pattern, full_granted_action):
+                                    return True
+                            except re.error:
+                                continue
+
+                except (ValueError, Exception):
+                    # If we can't fetch the service or parse the action, fall back to prefix matching
+                    stmt_prefix = statement_action.rstrip("*")
+                    for pattern in patterns:
+                        try:
+                            if re.match(pattern, stmt_prefix):
+                                return True
+                        except re.error:
+                            continue
+
         # Regex pattern match (from action_patterns config)
         for pattern in patterns:
             try:

iam_validator/checks/security_best_practices.py

@@ -91,14 +91,27 @@ class SecurityBestPracticesCheck(PolicyCheck):
         if self._is_sub_check_enabled(config, "wildcard_action_check"):
             if "*" in actions:
                 severity = self._get_sub_check_severity(config, "wildcard_action_check", "warning")
+                sub_check_config = config.config.get("wildcard_action_check", {})
+
+                message = sub_check_config.get("message", "Statement allows all actions (*)")
+                suggestion_text = sub_check_config.get(
+                    "suggestion", "Consider limiting to specific actions needed"
+                )
+                example = sub_check_config.get("example", "")
+
+                # Combine suggestion + example like action_condition_enforcement does
+                suggestion = (
+                    f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+                )
+
                 issues.append(
                     ValidationIssue(
                         severity=severity,
                         statement_sid=statement_sid,
                         statement_index=statement_idx,
                         issue_type="overly_permissive",
-                        message="Statement allows all actions (*)",
-                        suggestion="Consider limiting to specific actions needed",
+                        message=message,
+                        suggestion=suggestion,
                         line_number=line_number,
                     )
                 )
@@ -109,14 +122,27 @@ class SecurityBestPracticesCheck(PolicyCheck):
                 severity = self._get_sub_check_severity(
                     config, "wildcard_resource_check", "warning"
                 )
+                sub_check_config = config.config.get("wildcard_resource_check", {})
+
+                message = sub_check_config.get("message", "Statement applies to all resources (*)")
+                suggestion_text = sub_check_config.get(
+                    "suggestion", "Consider limiting to specific resources"
+                )
+                example = sub_check_config.get("example", "")
+
+                # Combine suggestion + example
+                suggestion = (
+                    f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+                )
+
                 issues.append(
                     ValidationIssue(
                         severity=severity,
                         statement_sid=statement_sid,
                         statement_index=statement_idx,
                         issue_type="overly_permissive",
-                        message="Statement applies to all resources (*)",
-                        suggestion="Consider limiting to specific resources",
+                        message=message,
+                        suggestion=suggestion,
                         line_number=line_number,
                     )
                 )
@@ -125,14 +151,31 @@ class SecurityBestPracticesCheck(PolicyCheck):
         if self._is_sub_check_enabled(config, "full_wildcard_check"):
             if "*" in actions and "*" in resources:
                 severity = self._get_sub_check_severity(config, "full_wildcard_check", "error")
+                sub_check_config = config.config.get("full_wildcard_check", {})
+
+                message = sub_check_config.get(
+                    "message",
+                    "Statement allows all actions on all resources - CRITICAL SECURITY RISK",
+                )
+                suggestion_text = sub_check_config.get(
+                    "suggestion",
+                    "This grants full administrative access. Restrict to specific actions and resources.",
+                )
+                example = sub_check_config.get("example", "")
+
+                # Combine suggestion + example
+                suggestion = (
+                    f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+                )
+
                 issues.append(
                     ValidationIssue(
                         severity=severity,
                         statement_sid=statement_sid,
                         statement_index=statement_idx,
                         issue_type="security_risk",
-                        message="Statement allows all actions on all resources - CRITICAL SECURITY RISK",
-                        suggestion="This grants full administrative access. Restrict to specific actions and resources.",
+                        message=message,
+                        suggestion=suggestion,
                         line_number=line_number,
                     )
                 )
@@ -155,15 +198,43 @@ class SecurityBestPracticesCheck(PolicyCheck):
                         severity = self._get_sub_check_severity(
                             config, "service_wildcard_check", "warning"
                         )
+                        sub_check_config = config.config.get("service_wildcard_check", {})
+
+                        # Get message template and replace placeholders
+                        message_template = sub_check_config.get(
+                            "message",
+                            "Service-level wildcard '{action}' grants all permissions for {service} service",
+                        )
+                        suggestion_template = sub_check_config.get(
+                            "suggestion",
+                            "Consider specifying explicit actions instead of '{action}'. If you need multiple actions, list them individually or use more specific wildcards like '{service}:Get*' or '{service}:List*'.",
+                        )
+                        example_template = sub_check_config.get("example", "")
+
+                        message = message_template.format(action=action, service=service)
+                        suggestion_text = suggestion_template.format(action=action, service=service)
+                        example = (
+                            example_template.format(action=action, service=service)
+                            if example_template
+                            else ""
+                        )
+
+                        # Combine suggestion + example
+                        suggestion = (
+                            f"{suggestion_text}\nExample:\n{example}"
+                            if example
+                            else suggestion_text
+                        )
+
                         issues.append(
                             ValidationIssue(
                                 severity=severity,
                                 statement_sid=statement_sid,
                                 statement_index=statement_idx,
                                 issue_type="overly_permissive",
-                                message=f"Service-level wildcard '{action}' grants all permissions for {service} service",
+                                message=message,
                                 action=action,
-                                suggestion=f"Consider specifying explicit actions instead of '{action}'. If you need multiple actions, list them individually or use more specific wildcards like '{service}:Get*' or '{service}:List*'.",
+                                suggestion=suggestion,
                                 line_number=line_number,
                             )
                         )
@@ -177,13 +248,33 @@ class SecurityBestPracticesCheck(PolicyCheck):
 
             if is_sensitive and not has_conditions:
                 severity = self._get_sub_check_severity(config, "sensitive_action_check", "warning")
+                sub_check_config = config.config.get("sensitive_action_check", {})
 
-                # Create appropriate message based on matched actions
+                # Create appropriate message based on matched actions using configurable templates
                 if len(matched_actions) == 1:
-                    message = f"Sensitive action '{matched_actions[0]}' should have conditions to limit when it can be used"
+                    message_template = sub_check_config.get(
+                        "message_single",
+                        "Sensitive action '{action}' should have conditions to limit when it can be used",
+                    )
+                    message = message_template.format(action=matched_actions[0])
                 else:
                     action_list = "', '".join(matched_actions)
-                    message = f"Sensitive actions '{action_list}' should have conditions to limit when they can be used"
+                    message_template = sub_check_config.get(
+                        "message_multiple",
+                        "Sensitive actions '{actions}' should have conditions to limit when they can be used",
+                    )
+                    message = message_template.format(actions=action_list)
+
+                suggestion_text = sub_check_config.get(
+                    "suggestion",
+                    "Add conditions like 'aws:Resource/owner must match aws:Principal/owner', IP restrictions, MFA requirements, or time-based restrictions",
+                )
+                example = sub_check_config.get("example", "")
+
+                # Combine suggestion + example
+                suggestion = (
+                    f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+                )
 
                 issues.append(
                     ValidationIssue(
@@ -193,7 +284,7 @@ class SecurityBestPracticesCheck(PolicyCheck):
                         issue_type="missing_condition",
                         message=message,
                         action=(matched_actions[0] if len(matched_actions) == 1 else None),
-                        suggestion="Add conditions like 'aws:Resource/owner must match aws:Principal/owner', IP restrictions, MFA requirements, or time-based restrictions",
+                        suggestion=suggestion,
                         line_number=line_number,
                     )
                 )